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| am delighted to take this opportunity to provide the undernoted response regarding the 
above consultation, on behalf of the Police Service of Scotland. 


This response has been considered by colleagues from several key departments, including 
our Safer Communities — Cybercrime Harm Prevention, Public Protection Unit, Children & 


Young People and Equality & Diversity Departments. 


The following areas are provided for consideration in developing the code. For clarity, the 
response is based on the structure of the ICO Call for evidence document. 


Section 1: Your views and evidence 


Development needs of children at different ages 


The Act requires the Commissioner to take account of the development needs of children at 


different ages when drafting the Code. 
The proposed age ranges are as follows: 


3-5 
6-9 
10-12 
13-15 
16-17 
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Q1. In terms of setting design standards for the processing of children's personal data 
by providers of ISS (online services), how appropriate you consider the above age 
brackets would be? 


Response: Quite appropriate (selected from available options within questionnaire) 


Q1A. Please provide any views or evidence on how appropriate you consider the above 
age brackets would be in setting design standards for the processing of children's 
personal data by providers of ISS (online services). 


Response: The above age ranges appear suitable, and in line with the ranges used by 
Education/Child Development practitioners for the key Child Development stages/milestones. 
The ranges also appear consistent with PEGI ratings used for other digital services accessed by 
children/young people. 


Q2. Please provide any views or evidence you have on children’s development needs, in 
an online context in each or any of the above age brackets. 


Response: The child developmental needs milestones are reflected in the above age brackets, 
albeit in respect of technology children access services through learned behaviour (from 
parents, siblings, peers) as opposed to understanding how the technology gets them there. 


Without a level of reasonable understanding of the risks etc. this can make children more 
vulnerable to predators, safe boundaries and protecting their data/private information in the 
online environment. 


It is suggested that service providers embed processesffilters and default settings as standard 
which protect the Rights of the Child/Privacy. These measures should be implemented at the 
design stage, and be a standard security feature and not an ‘opt in’ feature. 


For example, for services accessed by younger age bracket (3-5) one design feature could be 
incorporating the Rights of the  child/Protecting your privacy into the 
storyline/characters/services being provided. 


The United Nations Convention on the Rights of the Child 
The Data Protection Act 2018 requires the Commissioner to take account of the UK's 
obligations under the UN Convention on the Rights of the Child when drafting the Code. 


Q3. Please provide any views or evidence you have on how the Convention might apply 
in the context of setting design standards for the processing of children's personal data 
by providers of ISS (online services). 


Response: The Design Code should first and foremost reflect the views/needs of children, who 
should be involved in designing standards/requirements of the Code from the outset. It is 
suggested there should be meaningful engagement and consultation with children/young 
people, ensuring products/services uphold the Rights of the Child. It is envisaged that 
fundamental design features/values which acknowledge this, will empower children to learn and 
develop safely through technology. 


Aspects of design 
The UK Government has provided the Commissioner with a list of areas which it proposes she 


should take into account when drafting the Code, such as default privacy settings; use of geo- 
location technology and automated and semi-automated profiling. 
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Q4. Please provide any views or evidence you think the Commissioner should take into 
account when explaining the meaning and coverage of these terms in the code. 


Response: Providing practical examples of what these mean in real terms to children, parents/ 
carers and those with responsibility for children and young people, enabling them to make 
informed decisions. By highlighting the importance of protecting their data and information, 
signposting children to appropriate individuals/organisations, such as CEOP, which can provide 
trusted advice should they require additional support. 


Default setting — It is suggested these set at the highest privacy setting possible, 
safeguarding Children’s rights from the outset. Consideration should be given to 
separating into categories requiring Parental consent (Below 13 years or older if deemed 
appropriate), Parental Consent optional (13 years and above). 


Data Minimisation standards — Why should children’s data be shared at all? Services 
should be required to justify/satisfy specific criteria prior to requesting any children’s data 
or sharing this information. Should children’s information be obtained/retained, this 
should be encrypted should the service be compromised. 


The presentation and language of terms and conditions and privacy notices — This 
should be the minimum required to clearly explain terms, in plain language and age 
appropriate for different age ranges/development stages. Consideration should be given 
to engagement with children/young people to co-design terms and conditions. 


Uses of geo-location technology — Consideration should be given to this being set to 
off by default. Otherwise consideration should be given to notification being sent to 
parent/carer should this be activated by young children (Under 13 years or older if 
deemed appropriate). 


Automated and semi-automated profiling — This should not be a design feature 
particularly for younger age range (below 13 years), and should only be an option for 13 
years and above only where express consent has been given. 


Transparency of paid-for activity such as product placement and marketing — No 
adverts or “Pop- Ups” should be permitted, particularly for under 13 years. Where “Paid 
for activity” is a feature, notification should be forwarded to parents/carers (default for 
under 13 years, and option to notify for 13 years and above) giving consent for use of 
service. 


Sharing and resale of data — This should not be an option 


Strategies used to encourage extended user engagement- Conversely, the 
wellbeing of children/young people should be the main consideration of user 
engagement. For children under 13 years, consideration should be given to providing 
option/function setting healthy time limits for screen use. These limits should be agreed 
with parents/carers, functionality should include notification to child/parent once this time 
limit is reached/approaching, along with “Wellbeing” message. Consideration should also 
be given to provision of child/parental agreement contract setting healthy daily/weekly 
time limits. For young people aged 13 years and above, option for young people to set 
limits in agreement with parents. 
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User reporting and resolution processes and systems — This should be in plain, easy 
to understand language appropriate for various age ranges, and agreed time frame 
provided which guarantees the child/parent is provided with update on progress or 
confirming report has been resolved/concluded. Consideration could also be given to 
using software (Al — Artificial Intelligence programs) which identifies inappropriate 
language (relevant for different age ranges), particularly for children under 13 years, with 
notification process for parents/carers. This notification could also contain suitable 
advice/links to relevant support agencies. 


The ability to understand and activate a child’s right to erasure, rectification and 
restriction — Consideration could be given to requiring ISS providers use BLOCKCHAIN 
technology, which ensures every internet transaction relative to any action has a clear 
audit trail, potentially enabling erasure of unwanted online material relating to a 
child/young person. 


Consideration should also be given to embedding warnings/notification system prior to a 
child uploading any material onto an ISS platform, notification could also be forwarded to 
parent/carer in respect of children under 13 years. 


The ability to access advice from independent, specialist advocates on all data 
rights — Design features should include default advice/links to advocacy/support 
agencies are provided for  child/young person (particularly where above 
reporting/rectification processes are initiated). 


Q5. Please provide any views or evidence you have on the following: 


Q5A.The opportunities and challenges you think might arise in setting design standards 
for the processing of children’s personal data by providers of ISS (online services), in 
each or any of the above areas. 


Response: The opportunities arising from the Design code could be: 


Enable and empower children (via parents/carers and those with responsibility for young 
people) to be taught and acknowledge their online rights, safety and protection at an 
early stage, similar to learning used for other safety themes such as road safety etc. 
Create mutual respect and trust from an early age between young person and 
parent/carer/person with responsibility for a child or young person. 

Ensuring these basic rights are regarding and upheld throughout their adolescence and 
into adulthood. 

Raising general awareness amongst children, parents/carers, ISS providers of the 
Children’s Rights and need to continually respect and safeguard. 

Presents opportunities for ISS providers to deliver on their corporate social 
responsibilities and set the standard for other providers to follow. Demonstrating their 
commitment in the business strategies/model could enhance their reputation, customer 
base, wellbeing of the consumer. 


Response: The challenges arising for the Design code could be: 


The main challenge is the global culture change required around use of technology to 
gather, access and share personal data, particularly in relation to children, ensuring 
children are empowered to consider/take steps which protect their data. 

Regulating ISS Providers ensuring they fulfil their obligations as outlined in the Design 
Code. 
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e Children and young people may see it as an infringement to their freedom to access the 
internet without intrusion from parents/carers or those with responsibility for children and 
young people. 

e Children may manipulate terms and conditions, parental consent to bypass any new 
design features, similar to that experienced by the gaming industry, where young 
‘hackers’ first utilise their skills to by-pass settings on games. 

e Achieving “by-in” for ISS providers, who may view it as a barrier to their overarching 
objectives (increasing users, data collection, financial opportunities etc.) 


Q5B. How the ICO, working with relevant stakeholders, might use the opportunities 
presented and positively address any challenges you have identified. 

Response: Highlighting the opportunities presented to ISS providers to drive change and set 
new improved standards within their industry. Gaining their support would demonstrate 
corporate social responsibility, therefore enhancing their reputation, increasing public 
confidence/trust and ultimately user engagement. 


Q5C. What design standards might be appropriate (i.e. where the bar should be set) in 
each or any of the above areas and for each or any of the proposed age brackets. 


Response: As detailed in Q4. 
Q5D. Examples of ISS design you consider to be good practice. 


Response: Facebook Messenger for Kids — a ring fenced network that needs parental approval 
before use, and has stricter guidelines for obtaining/sharing children's data. 


Q6. If you would be interested in contributing to future solutions focussed work in 
developing the content of the code please provide the following information. The 
Commissioner is particularly interested in hearing from bodies representing the views of 
children or parents, child development experts and trade associations representing 
providers of online services likely to be accessed by children, in this respect. 

Response: Police Scotland contact details will be provided to Commissioner's office. 


Further views and evidence 


Q7. Please provide any other views or evidence you have that you consider to be 
relevant to this call for evidence. 


The Design Code should be structured around the protection of children and young people and 
not devices and service providers. The framework should set the minimum standards required to 
protect young people, and service providers should mould their products and supporting policy 
and procedures that adhere to these standards. 


The Design Code requires that all ISS providers have overarching strategies, policies and 
values which fundamentally ensure children’s rights, particularly around privacy, safety and 
protection are acknowledged and safeguarded from the very outset. This should be 
demonstrated at an early stage, particularly in the design/architecture of platforms, and 
continually taking into account emerging risks or behaviour change. 

| trust you find this of assistance. If you require any further information or wish to discuss any 
points of clarity, please do not hesitate to contact Police Scotland at your convenience. The 
single point of contact in the first instance is currently 


Yours sincerely 
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Local Policing 
Police Scotland 
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